示例#1
0
  /**
   * Ensures the the policy is not empty. If found empty or null, a 'private' policy is generated
   * and returned. If creating for an object, the BucketOwnerCanonicalId must not be null. If found
   * null, then a bucket-creation is expected and ACLs will be expanded as such.
   *
   * @param requestUser
   * @param policy
   * @return
   */
  public static AccessControlPolicy processNewResourcePolicy(
      @Nonnull User requestUser,
      @Nullable AccessControlPolicy policy,
      @Nullable String bucketOwnerCanonicalId)
      throws Exception {
    AccessControlPolicy acPolicy = null;
    if (policy != null) {
      acPolicy = policy;
    } else {
      acPolicy = new AccessControlPolicy();
    }

    if (acPolicy.getOwner() == null) {
      acPolicy.setOwner(buildCanonicalUser(requestUser.getAccount()));
    }

    if (acPolicy.getAccessControlList() == null) {
      acPolicy.setAccessControlList(new AccessControlList());
    }

    if (acPolicy.getAccessControlList().getGrants() == null
        || acPolicy.getAccessControlList().getGrants().size() == 0) {
      // Add default 'fullcontrol' grant for owner.
      acPolicy
          .getAccessControlList()
          .getGrants()
          .add(
              new Grant(
                  new Grantee(buildCanonicalUser(requestUser.getAccount())),
                  ObjectStorageProperties.Permission.FULL_CONTROL.toString()));
    }

    if (bucketOwnerCanonicalId != null) {
      acPolicy.setAccessControlList(
          AclUtils.expandCannedAcl(
              acPolicy.getAccessControlList(),
              bucketOwnerCanonicalId,
              requestUser.getAccount().getCanonicalId()));
    } else {
      acPolicy.setAccessControlList(
          AclUtils.expandCannedAcl(
              acPolicy.getAccessControlList(), requestUser.getAccount().getCanonicalId(), null));
    }

    return acPolicy;
  }
示例#2
0
  /**
   * Checks grants and transforms grantees into canonicalId from eucalyptus account id or email
   * address
   *
   * @param acl
   * @return
   */
  public static AccessControlList scrubAcl(AccessControlList acl) {
    AccessControlList scrubbed = new AccessControlList();
    if (acl == null || acl.getGrants() == null || acl.getGrants().size() == 0) {
      return scrubbed;
    }

    String canonicalId = null;
    Grantee grantee;
    CanonicalUser canonicalUser;
    Group group;
    String email;

    for (Grant g : acl.getGrants()) {
      grantee = g.getGrantee();
      if (grantee == null) {
        continue; // skip, no grantee
      } else {
        canonicalUser = grantee.getCanonicalUser();
        group = grantee.getGroup();
        email = grantee.getEmailAddress();
      }

      canonicalId = canonicalUser == null ? null : resolveCanonicalId(canonicalUser.getID());
      if (canonicalId == null) {
        try {
          User user = Accounts.lookupUserByEmailAddress(email);
          if (user != null && user.isAccountAdmin() && user.getAccount() != null) {
            canonicalId = user.getAccount().getCanonicalId();
          }
        } catch (AuthException authEx) {
          // no-op, we'll check the group
        }
      }
      if (canonicalId == null && group != null && !Strings.isNullOrEmpty(group.getUri())) {
        ObjectStorageProperties.S3_GROUP foundGroup = AclUtils.getGroupFromUri(group.getUri());
        if (foundGroup == null) {
          throw new NoSuchElementException("URI: " + group.getUri() + " not found in group map");
        }
        // Group URI, use as canonicalId for now.
        canonicalId = group.getUri();
      }

      if (canonicalId == null) {
        throw new NoSuchElementException("No canonicalId found for grant: " + g.toString());
      } else {
        if (grantee.getCanonicalUser() == null) {
          grantee.setCanonicalUser(new CanonicalUser(canonicalId, ""));
        } else {
          grantee.getCanonicalUser().setID(canonicalId);
        }
      }
    }

    return acl;
  }